Bug 1396981 (CVE-2016-9399)
Summary: | CVE-2016-9399 jasper: reachable assertion in calcstepsizes() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | abhgupta, anemec, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, jialiu, jokerman, jridky, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rdieter, rh-spice-bugs, rjones, slawomir, srevivo, tiwillia, ykaul |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | jasper 2.0.17 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-01-18 06:27:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1396987, 1396988, 1396989, 1434464, 1910578 | ||
Bug Blocks: | 1449402 |
Description
Adam Mariš
2016-11-21 10:22:28 UTC
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1396987] Affects: epel-7 [bug 1396989] Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1396986] Affects: epel-5 [bug 1396988] Upstream bug report: https://github.com/mdadams/jasper/issues/83 Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ Relevant information form the advisory: Affected version: 1.900.22 Output/failure: warning: trailing garbage in marker segment (9 bytes) warning: trailing garbage in marker segment (28 bytes) warning: trailing garbage in marker segment (40 bytes) warning: ignoring unknown marker segment (0xffee) type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 40 e4 e4 00 10 00 00 4f warning: trailing garbage in marker segment (12 bytes) imginfo: /tmp/portage/media-libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:1650: void calcstepsizes(uint_fast16_t, int, uint_fast16_t *): Assertion `!((expn + (numrlvls – 1) – (numrlvls – 1 – ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))’ failed. Commit fix: N/A Fixed version: N/A Testcase: https://github.com/asarubbo/poc/blob/master/00044-jasper-assert-calcstepsizes CVE: CVE-2016-9399 Upstream bug is still open and unfixed. The issue is not reproducible in version 1.900.26 and later, as there's limit on maximum number of samples in one image used in those versions. The issue is reproducible in the latest 2.0.12 when no samples limit is used (specified using --max-samples 0 option for jasper command line tools). Upstream commit: https://github.com/jasper-software/jasper/commit/84d00fb29a22e360c2ff91bdc2cd81c288826bfc The issue was fixed upstream in jasper 2.0.17. *** Bug 1488964 has been marked as a duplicate of this bug. *** This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-9399 |